DefenseWall, SBIE and SSM bypassed by Trojan

Discussion in 'other anti-malware software' started by Rasheed187, Jul 1, 2007.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Seems like another trojan is able to at least partially bypass these tools. This is really disappointing; you would think that the developers would know about most, if not all, possible attack vectors. :rolleyes:

    http://sandboxie.com/phpbb/viewtopic.php?t=1655
     
  2. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    That link does not appear to work
     
  3. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    It's okay here ;)
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hee, wouldn't that be nice! It will soon be fixed. By the way Sandboxie wasn't bypassed?
     
  5. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Is that link for the Sandboxie forum?
    404 error message when using that link.
    Going to the Sandboxie website and trying to go to the forum that way, I get this message.
     

    Attached Files:

  6. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234

    Attached Files:

  7. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Hello Rasheed, nice find with this trojan. I was able to access the thread on the Sandboxie forum. It seems that this trojan is very buggy, some testers can't get it to "work". I want to test it vs GeSWall (I'll try doing it in shadow mode with PowerShadow first, just in case GeSWall can't stop it). I'll report back here.

    EDIT :

    kks I just finished testing it using GeSWall 2.5.1 (on my friend's PC, he seems to like this version and refuses to upgrade, so this is the version I tested) while under shadow mode in PowerShadow (2.6 English version).

    results :

    The trojan runs, makes a copy of itself in programs/config32 (no big deal since GeSWall doesn't stop isolated programs from creating files), then attempts to hijack explorer and write to the registry. GeSWall 2.5.1 stops this cold. The only thing it managed to do was copy itself to that directory (config32), and that's not unusual while isolated under GeSWall. I consider this a "pass" for GeSWall. I emailed GentleSecurity tech support so they can run this test on their end and see what happens.
     
    Last edited: Jul 1, 2007
  8. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    A little more info on that trojan (ironic :D).
    Checked it out while sandboxed, took LinkScanner with me.
     

    Attached Files:

  9. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thanks for the pics LoneWolf.

    So, this trojan has to be started by the user? I guess this is why people keep talking about common sense being needed. :rolleyes:
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, this piece of code is using a very interesting technique I didn't know about. DefenseWall is already hardened against it. Will be published with the v2.0 RC2 build.
     
  11. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    DSA blocks it with the warning:

    "A potential threat to physical memory direct access has been detected."

    Antivir, AVG, ClamAV, and Fortinet flag it as a backdoor trojan.

    Oddly, on subsequent attempts to run it, it pops up this dialog:

    http://i17.tinypic.com/53ai90o.png

    It appears to have some type of software protection.
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Ilya,
    What's new about this trojan?
     
  13. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    It is using an interesting privilege escalation technique.
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Care to elaborate? :)
    Thanks Ilya.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes, not everyone could make the trojan work, but it did work on my virtual machine: it manages to escape from the sandbox, and SSM can't stop it from executing IE as a hidden process.

    Btw, a bit OT, but I just saw that Process Viewer (the "Process Monitor" part) is able to install a driver without SSM giving any alert about it, is this normal? :rolleyes:

    http://www.teamcti.com/pview/prcview.htm
     
  16. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    DefenseWall v2.0 RC2 (last one before release) is out. 100% defense against the prueba-based injection technique.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Nice work zopzop. Pls let us know their reply.

    Thanks
     
  18. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    They tested the latest version of GeSWall and it stopped it (you can even select the "terminate" option and smack down the trojan without breaking a sweat).
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Well, my results are as follows (with GW 2.6):

    When I run it GeSWalled, it created its copy in the config32 folder in Program Files. It also started an instance of explorer.exe and the default browser, which were isolated by GW. However, the PC became too sluggish (almost stuck) as these isolated instances of explorer.exe and opera.exe (my default browser) were using most of the CPU (I have seen this issue when some malware processes are sandboxed by GW), so I killed them manually.

    Also, GW gave an attack notification about the isolated instance of explorer.exe acting in a malicious way.

    However, I am not sure what this trojan is actually supposed to do and how well GW prevents against it in reality. I will be interested to know any details.

    SSM Pro and EQSecure don't give any popup about the launch of an instance of explorer.exe and the default browser by the malware, very strange (these instances are invisible, no GUI, you can just see them in Process Explorer).
     
    Last edited: Jul 2, 2007
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It seems a very interesting piece of malware, once allowed to execute, it is bypassing SSM Pro and EQSecure totally. Not sure about PS and GeSWall.
     

    Attached Files:

    • 0.jpg (File size: 45.8 KB, Views: 1,183)
    • 1.jpg (File size: 53.1 KB, Views: 1,170)
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    GeSWall log.
     

    Attached Files:

    Last edited: Jul 3, 2007
  22. herbalist

    herbalist Guest

    An interesting little demo trojan. Here's how it behaved on my box.
    I launched the original from my download folder, a fairly normal practice.
    first launch.gif
    On my box, SSM free alerts to the initial launching of the demo, but does not detect its injection into explorer.exe. Best I can tell, the process runs within explorer.exe entirely in memory. In this regard, the demo does defeat SSM free. I can't test the pro version.

    If I allow the initial launch, the demo creates the following:
    1. file - C:\windows\oreans.vxd
    2. folder - C:\program files\config32
    3. file - C:\program files\config32\prueba.exe (a copy of itself)
    My file system monitoring apps warned of this immediately.
    Once the demo attempts to connect out, it also creates
    C:\program files\config32\klog.dat

    SSM did alert to the attempt to launch Sea Monkey, my default browser. Most users will not see an alert for the attempt to launch their default browser as it's normally an allowed child process of explorer.exe. On mine, browsers are launched via batch files, partly as a security measure against exploits and partly to start other processes simultaneously.
    alert1.gif
    If I allow the launch of Sea Monkey, I then get an alert for a hook by Sea Monkey.
    alert2.gif
    By now, Kerio 2.1.5 is alerting to Sea Monkey's outbound connection attempt. The trojan demo ignored the proxy settings and tried to connect out directly. On my box, the browser has to connect out thru Proxomitron, which is launched by the same batch file as Sea Monkey. The trojan demo has some flaw that prevents it from connecting even when I allowed it. Not sure if it's the trojan or the sites it's trying to connect to. Seen 2 different IPs so far but this isn't particularly relevant to the test.

    If I kill the instance of Sea Monkey launched by the demo, SSM alerts to the attempt to launch the copy of prueba.exe in the config32 folder.
    alert4.gif
    I get the same alert if I kill explorer.exe with SSM, then restart it. When explorer is killed and restarted via SSM, the above alert is followed by this one.
    alert5.gif
    If I block the launching of prueba.exe after killing either Sea Monkey or Explorer.exe, the demo is killed.

    While SSM doesn't detect this demo's method of using explorer.exe, a properly designed layered package still defeats it. The fact that the user allows this demo to run has to figure into this test. The HIPS did their initial job, intercepting an unknown process. By your choosing to allow it, you changed the role of the HIPS from blocking malicious processes to one of damage control. From this point forward, your ruleset, system configuration, and the rest of your security package come into play.

    This demo shows the weakness in rulesets that allow explorer.exe to parent any process, which ends up including the trojan's executable and the browser. Take the time to specify the child processes and get rid of that "allow any" setting for all processes. This is an example of how a well designed security package can defend a system by preventing collateral damage, even when an initial exploit succeeds. Any security app can and will be defeated. It's how well your package does as a whole that matters.

    In this instance, the demo's author made some basic mistakes, probably because it is a demo. Even with the real thing, if the writer doesn't think the process all the way thru, he can make similar basic mistakes and often does. It's often such mistakes that lead to the discovery of his trojan and his new method.
    1. He assumed the browser has a direct connection out. In my case, I connected thru Proxomitron. Caught by the firewall.
    2. He assumed that the browser is an allowed child process of explorer.exe. Usually it is, but not always. I use batch files to launch the browsers, Proxomitron, and other items I won't name here all at once. Break that direct connection between common system executables like explorer and the web applications like your browser and mail handler.

    Rick
     
    Last edited by a moderator: Jul 3, 2007
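    Rick's point above (and Rasheed's and aigle's observations that the hidden explorer.exe/browser launches went unnoticed by SSM Pro and EQSecure) comes down to a parent/child rule problem: a HIPS ruleset that lets explorer.exe start anything will wave through both the trojan's copy in config32 and the browser it spawns. The script below is an added example, not code from the thread or from any of the products discussed. It evaluates constructed process-creation events (parent image, child image, image path) against an explicit per-parent child allowlist and a table of known image locations; the allowlist entries, paths and log lines are all assumed values made up for the example, modelled on Rick's setup where the browser is launched via a batch file rather than directly by explorer.exe.

```python
"""Parent/child process allowlist check over constructed process-creation events.

Added example, not from the thread. Assumes a simple 'parent | child | path'
event format; every sample line and policy value below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image name of the parent process
    child: str    # image name of the newly created process
    path: str     # full path of the new process image


# Explicit child allowlist per parent: no "allow any" for explorer.exe.
# Assumed policy values; the browser is only allowed as a child of cmd.exe
# (i.e. of the batch file that launches it together with the proxy).
ALLOWED_CHILDREN = {
    "explorer.exe": {"notepad.exe", "cmd.exe"},
    "cmd.exe": {"seamonkey.exe", "proxomitron.exe"},
    "seamonkey.exe": set(),
}

# Expected location of each trusted image (assumed values). Any image not
# listed here is "unknown", which is what a HIPS alerts on at first launch.
KNOWN_IMAGES = {
    "notepad.exe": r"c:\windows\notepad.exe",
    "cmd.exe": r"c:\windows\system32\cmd.exe",
    "seamonkey.exe": r"c:\program files\seamonkey\seamonkey.exe",
    "proxomitron.exe": r"c:\program files\proxomitron\proxomitron.exe",
}


def evaluate(event):
    """Return a list of findings for one event; an empty list means allowed."""
    findings = []
    parent = event.parent.lower()
    child = event.child.lower()
    path = event.path.lower()

    expected = KNOWN_IMAGES.get(child)
    if expected is None:
        findings.append("unknown image")
    elif expected != path:
        # Known name but unexpected location (e.g. a copy dropped elsewhere).
        findings.append("image path mismatch")

    allowed = ALLOWED_CHILDREN.get(parent)
    if allowed is None:
        findings.append("no rule for parent")
    elif child not in allowed:
        findings.append("child not allowed for parent")
    return findings


def parse_line(line):
    """Parse one constructed 'parent | child | path' log line."""
    parent, child, path = [field.strip() for field in line.split("|")]
    return ProcEvent(parent, child, path)


def scan(log_text):
    """Evaluate every non-empty line; returns [(event, findings), ...]."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            results.append((event, evaluate(event)))
    return results


# Constructed sample log: initial launch from the download folder, a normal
# notepad launch, the browser started by explorer (not allowed on this box),
# the browser started via the batch file, and the config32 copy being relaunched.
SAMPLE_LOG = """\
explorer.exe | prueba.exe | C:\\Downloads\\prueba.exe
explorer.exe | notepad.exe | C:\\Windows\\notepad.exe
explorer.exe | seamonkey.exe | C:\\Program Files\\SeaMonkey\\seamonkey.exe
cmd.exe | seamonkey.exe | C:\\Program Files\\SeaMonkey\\seamonkey.exe
explorer.exe | prueba.exe | C:\\Program Files\\config32\\prueba.exe
"""

if __name__ == "__main__":
    for event, findings in scan(SAMPLE_LOG):
        verdict = "ALERT " + ", ".join(findings) if findings else "allow"
        print(f"{event.parent} -> {event.child}: {verdict}")
```

    Run stand-alone it prints one line per event; the three explorer.exe launches of prueba.exe and SeaMonkey are flagged while the notepad and batch-file-launched browser events pass. The "image path mismatch" branch is what would catch a trusted image name being run from a dropped copy in an unexpected directory.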
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Rick,

    Nice avitar, great post

    Regards Kees
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Which app is this?
    Thanks.
     
  25. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Just out of curiosity, I wonder if it can get past Deep Freeze?
     